From c62f537f2c99513ef04595c748d392e9da36a7fd Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Fri, 15 May 2026 10:40:50 -0400
Subject: [PATCH] rgw/beast: add ssl_ciphersuites option for tls 1.3

the existing ssl_ciphers option is passed to `SSL_CTX_set_cipher_list()` which only applies to "TLSv1.2 and below". there's a separate `SSL_CTX_set_ciphersuites()` for TLSv1.3 because the frontend's default configuration for `ssl_options` accepts both 1.2 and 1.3, users may need to specify ciphers for each. that's why `ssl_ciphersuites` is introduced as a separate option
Fixes: https://tracker.ceph.com/issues/76578
Signed-off-by: Casey Bodley
---
 doc/radosgw/frontends.rst | 6 ++++--
 src/rgw/rgw_asio_frontend.cc | 15 +++++++++++++++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/radosgw/frontends.rst b/doc/radosgw/frontends.rst
index d888ab3f9247..686f1af0cc92 100644
--- a/doc/radosgw/frontends.rst
+++ b/doc/radosgw/frontends.rst
@@ -98,11 +98,13 @@ Options
 :Type: String
 :Default: ``no_sslv2:no_sslv3:no_tlsv1:no_tlsv1_1``
-``ssl_ciphers``
+``ssl_ciphers`` and ``ssl_ciphersuites``
 :Description: Optional list of one or more cipher strings separated by colons. The format of the string is described in OpenSSL's ciphers(1)
- manual.
+ manual. The ``ssl_ciphers`` option only applies to connections
+ using TLS v1.2 and below, while ``ssl_ciphersuites`` only applies
+ to TLS v1.3.
 :Type: String
 :Default: None
diff --git a/src/rgw/rgw_asio_frontend.cc b/src/rgw/rgw_asio_frontend.cc
index caa77eedbad7..694eb88c544b 100644
--- a/src/rgw/rgw_asio_frontend.cc
+++ b/src/rgw/rgw_asio_frontend.cc
@@ -1072,6 +1072,21 @@ int AsioFrontend::ssl_reload() {
 }
 }
+ std::optional ciphersuites = conf->get_val("ssl_ciphersuites");
+ if (ciphersuites) {
+ if (!cert) {
+ lderr(ctx()) << "no ssl_certificate configured for ssl_ciphersuites" << dendl;
+ return -EINVAL;
+ }
+
+ int r = SSL_CTX_set_ciphersuites(ssl_ctx->native_handle(), ciphersuites->c_str());
+ if (r == 0) {
+ lderr(ctx()) << "no cipher could be selected from ssl_ciphersuites: "
+ << *ciphersuites << dendl;
+ return -EINVAL;
+ }
+ }
+ std::optional groups = conf->get_val("tls_groups");
+ if (groups) {
+ if (!cert) {
--
2.47.3
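Review bot: The failure message in the `r == 0` branch, "no cipher could be selected from ssl_ciphersuites", describes the SSL_CTX_set_cipher_list() contract rather than SSL_CTX_set_ciphersuites(): per the OpenSSL manual the TLSv1.3 setter fails when any name in the list is unrecognised (it does not keep the ones it knows), while an empty string is accepted as a valid list that leaves no TLSv1.3 ciphersuites enabled, so the first case is misreported and the second is not reported at all. Rewording it to `"failed to configure ssl_ciphersuites (unrecognized TLSv1.3 ciphersuite name?): "` and logging the OpenSSL error queue next to it would tell the operator which entry was rejected; whether an empty `ssl_ciphersuites` should be refused, or at least called out in frontends.rst, is worth deciding since the default `ssl_options` still offers TLSv1.3. A short comment above the block, `// SSL_CTX_set_ciphersuites() covers TLSv1.3 only; ssl_ciphers / SSL_CTX_set_cipher_list() covers TLSv1.2 and below`, would keep the next reader from assuming the two options overlap. ssl_reload() begins before this hunk and, judging by the trailing `tls_groups` lines, continues after it.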